From ac471fd7432906217f7a2d46b37d49b1c9f512ea Mon Sep 17 00:00:00 2001 From: Erik Hubers <2598139-erikhubers@users.noreply.gitlab.com> Date: Sun, 11 Aug 2024 14:52:52 +0200 Subject: [PATCH 1/1] #2: Build and publish Docker images using GitLab CI. --- Add the ability to build & publish a docker image to the Gitlab container registry when tagging a commit. For now we'll publish both tag (i.e. `x.x.x`) and `latest` upon trigger. It's assumed tags are only set on the default branch and only limited amount people have tag rights. As it publishes `latest` it's important not to push breaking / untested releases. If required a more elaborate setup can be created, but let's start somewhere. For now it's assumed in README.md files we're going to publish to the GitLab Container Registry, with $CI_REGISTRY/$CI_REGISTRY_IMAGE variables resolving to `registry.gitlab.com/jirafeau/jirafeau`. Changes: - Fixup of several pre-existing linter errors in `php` files - Cleanup `Dockerfile`, merged `COPY` & `RUN` layers leveraging BuildKit - Added `publish` pipeline step to be triggered using `tags` - Updated docker image related references in `README.md` - Refactored `.gitlab-ci.yaml` to only run `before_script` for linters --- .gitlab-ci.yml | 54 ++++++++++++++++++++++++---------------- Dockerfile | 21 +++++++--------- README.md | 2 +- docker/README.md | 10 ++++---- docker/docker_config.php | 2 +- index.php | 14 +++++------ lib/functions.php | 3 +-- script.php | 18 +++++++------- 8 files changed, 65 insertions(+), 59 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 0d2d9c4..bf59897 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -1,35 +1,45 @@ -# Select docker image from https://hub.docker.com/_/php/ -image: php:8.1 - # Select what we should cache cache: paths: - vendor/ -before_script: - # Install git, the docker php image doesn't have it installed by default - - apt-get update -yqq - - apt-get install git -yqq - - apt-get install zip -yqq - # Enable necessary php extensions - - docker-php-ext-enable curl && docker-php-ext-enable json && docker-php-ext-enable zip && docker-php-ext-enable mbstring && docker-php-ext-enable gd && docker-php-ext-enable pdo_mysql - # Install composer - - curl -sS https://getcomposer.org/installer | php - # Create composer.json file manually, since this is a project without any non-dev dependencies yet - - php composer.phar require --dev php-parallel-lint/php-parallel-lint - - php composer.phar require --dev friendsofphp/php-cs-fixer:3.10.0 - # Install all project dependencies - - php composer.phar install - -# Run tests +# Run tests for php:8.1 job_lint_app_81: image: php:8.1 - script: + before_script: &before_linter_script + # Install git, the docker php image doesn't have it installed by default + - apt-get update -yqq + - apt-get install git -yqq + - apt-get install zip -yqq + # Enable necessary php extensions + - docker-php-ext-enable curl && docker-php-ext-enable json && docker-php-ext-enable zip && docker-php-ext-enable mbstring && docker-php-ext-enable gd && docker-php-ext-enable pdo_mysql + # Install composer + - curl -sS https://getcomposer.org/installer | php + # Create composer.json file manually, since this is a project without any non-dev dependencies yet + - php composer.phar require --dev php-parallel-lint/php-parallel-lint + - php composer.phar require --dev friendsofphp/php-cs-fixer:3.10.0 + # Install all project dependencies + - php composer.phar install + script: &linter_script - ./vendor/bin/parallel-lint --exclude vendor . - ./vendor/bin/php-cs-fixer -vvv fix . --dry-run --using-cache=no --rules=@PSR2 +# Run tests for php:7.4 job_lint_app_74: image: php:7.4 + before_script: *before_linter_script + script: *linter_script + +publish: + image: docker:latest + stage: deploy + services: + - docker:dind script: - - ./vendor/bin/parallel-lint --exclude vendor . - - ./vendor/bin/php-cs-fixer -vvv fix . --dry-run --using-cache=no --rules=@PSR2 + - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY" + - docker build -t $CI_REGISTRY/$CI_REGISTRY_IMAGE:$CI_COMMIT_TAG . + # If we're on the default branch, also tag the image as latest + - docker build -t $CI_REGISTRY/$CI_REGISTRY_IMAGE:$CI_COMMIT_TAG -t $CI_REGISTRY/$CI_REGISTRY_IMAGE:latest . + - docker push $CI_REGISTRY/$CI_REGISTRY_IMAGE --all-tags + only: + - tags diff --git a/Dockerfile b/Dockerfile index 9eb0423..d4854a8 100644 --- a/Dockerfile +++ b/Dockerfile @@ -8,24 +8,21 @@ RUN apk update && \ ln -snf /usr/share/zoneinfo/Etc/UTC /etc/localtime && \ echo "UTC" > /etc/timezone -COPY docker/cleanup.sh /cleanup.sh -COPY docker/run.sh /run.sh -RUN chmod o=,ug=rx /cleanup.sh /run.sh -COPY docker/docker_config.php /docker_config.php +COPY --chmod=550 docker/cleanup.sh docker/run.sh / +COPY --chmod=640 docker/docker_config.php /docker_config.php -RUN mkdir -p /usr/local/etc/php COPY docker/php.ini /usr/local/etc/php/php.ini COPY docker/lighttpd.conf /etc/lighttpd/lighttpd.conf -# install jirafeau -RUN mkdir /www +# Install Jirafeau WORKDIR /www -# Will ignore some files through .dockerignore -COPY . . -RUN rm -rf docker && \ + +RUN --mount=type=bind,source=.,target=/mnt \ + cp -r /mnt/* /www/ && \ + rm -rf /www/docker && \ touch /www/lib/config.local.php && \ chown -R $(id -u lighttpd).$(id -g www-data) /www && \ - chmod o=,ug=rwX -R /www + chmod 770 /www -CMD /run.sh +CMD ["/run.sh"] EXPOSE 80 \ No newline at end of file diff --git a/README.md b/README.md index 7d89261..4fff851 100644 --- a/README.md +++ b/README.md @@ -63,7 +63,7 @@ Jirafeau project won't evolve to a file manager and will focus to keep a very fe ## Installation This shows how to install Jirafeau by your own, it's quite simple but you can -also use a [docker image](https://hub.docker.com/r/mojo42/jirafeau/) or build +also use a [docker image](https://gitlab.com/jirafeau/Jirafeau/container_registry/) or build it yourself. Check [docker folder](docker/README.md) for more informations. System requirements: diff --git a/docker/README.md b/docker/README.md index 2c56d26..e7e68d7 100644 --- a/docker/README.md +++ b/docker/README.md @@ -7,8 +7,8 @@ Jirafeau is a small PHP application so running it inside a docker container is pretty straightforward. ``` -docker pull mojo42/jirafeau:latest -docker run -it --rm -p 8080:80 mojo42/jirafeau:latest +docker pull registry.gitlab.com/jirafeau:latest +docker run -it --rm -p 8080:80 registry.gitlab.com/jirafeau/jirafeau:latest ``` Then connect on [localhost:8080](http://localhost:8080/). @@ -26,7 +26,7 @@ docker build -t your/jirafeau:latest . You may be interested in running Jirafeau on port 80: ``` -docker run -d -p 80:80 --sysctl net.ipv4.ip_unprivileged_port_start=80 mojo42/jirafeau +docker run -d -p 80:80 --sysctl net.ipv4.ip_unprivileged_port_start=80 registry.gitlab.com/jirafeau/jirafeau ``` Note that Jirafeau image does not provide any SSL/TLS. You may be interested in using [docker compose](https://docs.docker.com/compose/) combined with [Let's Encrypt](https://letsencrypt.org/). @@ -66,7 +66,7 @@ Available options: Example: ``` -docker run -it -p 8080:80 --rm -e ADMIN_PASSWORD='p4ssw0rd' -e WEB_ROOT='jirafeau.mydomain.com/' -e UPLOAD_PASSWORD='foo,bar' -e PREVIEW=0 mojo42/jirafeau:latest +docker run -it -p 8080:80 --rm -e ADMIN_PASSWORD='p4ssw0rd' -e WEB_ROOT='jirafeau.mydomain.com/' -e UPLOAD_PASSWORD='foo,bar' -e PREVIEW=0 registry.gitlab.com/jirafeau/jirafeau:latest ``` ## Data storage @@ -77,7 +77,7 @@ Note that configuration is not stored in /data. Example of using a dedicated volume to store Jirafeau data separately from the container: ``` docker volume create jirafeau_data -docker run -it --rm -p 8080:80 --mount source=jirafeau_data,target=/data mojo42/jirafeau:latest +docker run -it --rm -p 8080:80 --mount source=jirafeau_data,target=/data registry.gitlab.com/jirafeau/jirafeau:latest ``` ## Few notes diff --git a/docker/docker_config.php b/docker/docker_config.php index 634d58b..0becc2d 100644 --- a/docker/docker_config.php +++ b/docker/docker_config.php @@ -194,4 +194,4 @@ function run_setup(&$cfg) } } -run_setup($cfg); \ No newline at end of file +run_setup($cfg); diff --git a/index.php b/index.php index 78c1beb..37dd677 100644 --- a/index.php +++ b/index.php @@ -25,7 +25,7 @@ require(JIRAFEAU_ROOT . 'lib/settings.php'); require(JIRAFEAU_ROOT . 'lib/functions.php'); require(JIRAFEAU_ROOT . 'lib/lang.php'); -if ($cfg['download_password_requirement'] === "generated"){ +if ($cfg['download_password_requirement'] === "generated") { $download_pass = jirafeau_gen_download_pass($cfg['download_password_gen_len'], $cfg['download_password_gen_chars']); } @@ -114,8 +114,8 @@ elseif (true === jirafeau_challenge_upload_ip($cfg, get_ip_address($cfg))) {

- +

@@ -206,15 +206,15 @@ elseif (true === jirafeau_challenge_upload_ip($cfg, get_ip_address($cfg))) { echo '' . t('ONE_TIME_DL') . ':'; echo ''; } - if ($cfg['download_password_requirement'] === 'generated'){ + if ($cfg['download_password_requirement'] === 'generated') { echo ''; - }else{ + } else { echo ''; echo ''; diff --git a/lib/functions.php b/lib/functions.php index b3a84ac..4736b7f 100644 --- a/lib/functions.php +++ b/lib/functions.php @@ -143,7 +143,6 @@ function jirafeau_human_size($octets) // Convert UTC timestamp to a datetime field function jirafeau_get_datetimefield($timestamp) { - $ts = date_create("@" . $timestamp); $content = '' . date_format($ts, 'Y-m-d H:i') . ' (GMT)'; @@ -1239,7 +1238,7 @@ function jirafeau_encrypt_file($fp_src, $fp_dst) $enc = sodium_crypto_secretstream_xchacha20poly1305_push($crypt_state, $to_enc); if (fwrite($w, $enc) === false) { - return ''; + return ''; } } diff --git a/script.php b/script.php index f32ab20..8ebcce3 100644 --- a/script.php +++ b/script.php @@ -81,13 +81,13 @@ if (isset($_FILES['file']) && is_writable(VAR_FILES) $key = ''; if (isset($_POST['key'])) { $key = $_POST['key']; - if ($cfg['download_password_requirement'] !== 'generated' && $cfg['download_password_policy'] === 'regex'){ - if (!preg_match($cfg['download_password_policy_regex'], $key)){ + if ($cfg['download_password_requirement'] !== 'generated' && $cfg['download_password_policy'] === 'regex') { + if (!preg_match($cfg['download_password_policy_regex'], $key)) { echo 'Error 14: The download password is not complying to the security standards.'; exit; } } - }elseif ($cfg['download_password_requirement'] !== 'optional'){ + } elseif ($cfg['download_password_requirement'] !== 'optional') { echo 'Error 13: The parameter password is required.'; exit; } @@ -175,13 +175,13 @@ if (isset($_FILES['file']) && is_writable(VAR_FILES) $key = ''; if (isset($_POST['key'])) { $key = $_POST['key']; - if ($cfg['download_password_requirement'] !== 'generated' && $cfg['download_password_policy'] === 'regex'){ - if (!preg_match($cfg['download_password_policy_regex'], $key)){ + if ($cfg['download_password_requirement'] !== 'generated' && $cfg['download_password_policy'] === 'regex') { + if (!preg_match($cfg['download_password_policy_regex'], $key)) { echo 'Error 14: The download password is not complying to the security standards.'; exit; } } - }elseif ($cfg['download_password_requirement'] !== 'optional'){ + } elseif ($cfg['download_password_requirement'] !== 'optional') { echo 'Error 13: The parameter password is required.'; exit; } @@ -451,13 +451,13 @@ elseif (isset($_GET['init_async'])) { $key = ''; if (isset($_POST['key'])) { $key = $_POST['key']; - if ($cfg['download_password_requirement'] !== 'generated' && $cfg['download_password_policy'] === 'regex'){ - if (!preg_match($cfg['download_password_policy_regex'], $key)){ + if ($cfg['download_password_requirement'] !== 'generated' && $cfg['download_password_policy'] === 'regex') { + if (!preg_match($cfg['download_password_policy_regex'], $key)) { echo 'Error 14: The download password is not complying to the security standards.'; exit; } } - }elseif ($cfg['download_password_requirement'] !== 'optional'){ + } elseif ($cfg['download_password_requirement'] !== 'optional') { echo 'Error 13: The parameter password is required.'; exit; } -- 2.34.1